These Are The Three Most Dangerous and Vulnerable WordPress Plugins


Everyone focuses on preventing their WordPress website from being hacked. Today I’m going to show you just the opposite – how to quickly and easily get your WordPress business site hacked with little effort on your part.

You may have noticed more and more talk online about hacking and the dangers it presents to your small business WordPress website.  Not surprising.

According to the Sucuri Website Hacked Trend Report 2016, in March 2015 Google listed 17 million compromised websites. One year later that figure was at 50 million.

Google’s Safe Browsing page holds some interesting data if you care to delve into it.  They currently detect around 40,000 infected websites every week.

The most worrying point to me is that webmasters' response rate in dealing with these infections has actually become much slower while reinfection rates have become much higher.  

This points to two things:

  1. Webmasters are becoming increasingly more overwhelmed with the volume of work they must deal with.
  2. Many webmasters have an inadequate amount of knowledge to do so effectively.


I've mentioned the main reason for this trend before but here it is again from the Sucuri report:

WordPress’s ease of implementation … introduces a large influx of unskilled webmasters and service providers responsible for the deployment and administrations of … websites

Going on ...

"75% of [infected websites] were on the WordPress platform and over 50% of those websites were out of date. Many infected websites are attacked through old security vulnerabilities in just three WordPress plugins that have not been updated."

This is all great news for the hacker community and the small business owners who really want a compromised WordPress website!

[Image: welcome hackers. Source: Unsplash, Gabby Orcutt]

In this post I’ll show you how to speed up the hacking trend and make it easier for the hackers to find a vulnerable spot in your WordPress website by installing the most dangerous plugins.


What’s a plugin?

WordPress Plugins allow the easy modification, customization and enhancement of a WordPress website. Instead of changing the core program code of WordPress, you can add functionality with WordPress Plugins.

Here's a basic definition:

A WordPress Plugin is a program or a set of one or more functions written in the PHP scripting language, which adds a specific set of features or services to the WordPress site.


Programmers around the world write these plugins and make them available for anyone with a WordPress website to install and use on their own site.

Generally, most programmers do a good job of following the WordPress programming guidelines and regularly update their plugins to fix reported problems.

Ultimately, however, the only person responsible for making sure your WordPress website has these latest versions of plugins is you, the owner of that website!

Again, there's good news here for hackers, 50% of website owners do not regularly apply these updates. So, if a plugin has not been updated, any security problems found can still be active years after the programmer repaired the problem.

For example, remember the Panama Papers, at the time the largest data leak in history? That attack was reportedly successful in part because the firm's website ran a very outdated version of one of the plugins on our list below, RevSlider.

Disclaimer – these plugins are not inherently dangerous. The programmers generally do a very good job of keeping the plugins updated and secure. The problem stems from their widespread use and the failure of website owners to keep them updated.
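Since the whole argument comes down to "know what is installed and whether it is behind the fixed version", here is a small inventory check, added as an example and not the author's code or any WordPress tooling. It walks a wp-content/plugins tree the way WordPress does (top-level .php files plus the top level of each plugin folder), reads the Plugin Name and Version header fields from the first 8 KiB of each main file, and compares the installed version against a per-plugin floor you supply. The plugin slugs, versions and the floor table are invented for the demo; fill the floor table from the vendor changelog or a vulnerability feed, and note that a plugin missing from the table is reported as unknown rather than quietly treated as safe.

```python
"""Inventory the plugins in a wp-content/plugins tree and flag versions below
a floor you set per plugin. Hypothetical example; not the article's code."""
import re
import tempfile
from pathlib import Path
from typing import Dict, Iterator, List, Optional, Tuple

# WordPress reads plugin metadata from the comment block at the top of the
# plugin's main .php file and only inspects the first 8 KiB of it.
HEADER_BYTES = 8192

# ASSUMPTION: plugin slugs and version floors are invented for this example.
# In practice, fill this from the vendor changelog or a vulnerability feed.
EXAMPLE_MIN_SAFE: Dict[str, str] = {
    "example-slider": "4.2.0",
    "example-forms": "1.9.3",
}


def read_plugin_header(php_file: Path) -> Optional[Dict[str, str]]:
    """Return {'Plugin Name': ..., 'Version': ...} or None if the file has
    no plugin header. The regex mirrors WordPress's own header matching:
    optional comment decoration, the field name, a colon, then the value."""
    with php_file.open("rb") as fh:
        head = fh.read(HEADER_BYTES).decode("utf-8", errors="replace")
    meta: Dict[str, str] = {}
    for field in ("Plugin Name", "Version"):
        m = re.search(r"^[ \t/*#@]*" + re.escape(field) + r":(.*)$", head, re.M | re.I)
        if m:
            meta[field] = m.group(1).strip()
    return meta if "Plugin Name" in meta else None


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric tuple for ordering, e.g. '2.8.14' -> (2, 8, 14).
    Simplification: pre-release suffixes are ignored (WordPress itself uses
    PHP's version_compare, which handles them)."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def list_plugins(plugins_dir: Path) -> Iterator[Tuple[str, Path, Dict[str, str]]]:
    """Yield (slug, main_file, header) for every plugin found. Like WordPress,
    look at top-level .php files and at the top level of each subdirectory."""
    for entry in sorted(plugins_dir.iterdir()):
        if entry.is_file() and entry.suffix == ".php":
            candidates, slug = [entry], entry.stem
        elif entry.is_dir():
            candidates, slug = sorted(entry.glob("*.php")), entry.name
        else:
            continue
        for php in candidates:
            header = read_plugin_header(php)
            if header:
                yield slug, php, header
                break  # the first file carrying a header is the main file


def find_outdated(plugins_dir: Path, min_safe: Dict[str, str]) -> List[Dict[str, str]]:
    """Compare each installed plugin against its version floor. A plugin with
    no floor is reported as 'unknown' rather than silently treated as safe;
    a plugin with no Version header is treated as version 0 (outdated)."""
    findings: List[Dict[str, str]] = []
    for slug, php, header in list_plugins(plugins_dir):
        installed = header.get("Version", "0")
        floor = min_safe.get(slug)
        if floor is None:
            status = "unknown"
        elif version_key(installed) < version_key(floor):
            status = "OUTDATED"
        else:
            status = "ok"
        findings.append({"slug": slug, "name": header["Plugin Name"],
                         "installed": installed, "min_safe": floor or "-",
                         "status": status, "file": str(php)})
    return findings


def build_fixture(root: Path) -> Path:
    """Constructed plugins tree with invented plugins, used for the demo."""
    plugins = root / "wp-content" / "plugins"
    (plugins / "example-slider").mkdir(parents=True)
    (plugins / "example-slider" / "example-slider.php").write_text(
        "<?php\n/*\nPlugin Name: Example Slider\nVersion: 4.1.4\n*/\n")
    (plugins / "example-forms").mkdir()
    (plugins / "example-forms" / "forms.php").write_text(
        "<?php\n/**\n * Plugin Name: Example Forms\n * Version: 1.9.3\n */\n")
    (plugins / "example-hello.php").write_text(
        "<?php\n/*\nPlugin Name: Example Hello\nVersion: 1.6\n*/\n")
    return plugins


def demo() -> List[Dict[str, str]]:
    """Run the check against the constructed fixture and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_outdated(build_fixture(Path(tmp)), EXAMPLE_MIN_SAFE)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['status']:8} {f['slug']:15} installed={f['installed']:6} min_safe={f['min_safe']}")
```

Point it at a real site by calling find_outdated(Path("/var/www/html/wp-content/plugins"), your_floor_table) from a cron job or a deploy hook. The scan only covers plugin headers; a bundled script such as TimThumb lives inside a theme or plugin folder and carries no plugin header, so it needs a separate file-name search.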

To be successfully hacked you must install the outdated version and be sure to never, ever update the software, as in the recent WordPress hacking spree.

The three most dangerous plugins you should install if you want to get hacked

These plugins are the point of entry into a large proportion of hacked Small Business WordPress websites in the past few years.

1. RevSlider

RevSlider has quite a history of vulnerabilities in WordPress.

(And I'm sorry RevSlider guys, but I'm instantly suspicious of anyone who claims 100% security.)

2. Gravity Forms

3. TimThumb

You may have noticed something interesting here - two of these plugins are Premium plugins, i.e. plugins that are not free like most WordPress plugins, but must be paid for.

Perhaps their prevalence in hack attacks is simply indicative of their widespread use?  Or perhaps it's indicative of a poor update notification or implementation process?  I don't know as I don't use any of the above but it's food for thought.

More Great News For Hackers

Here’s the great news that must have hacker teams ROFLing in their bunkers: all three plugins have had fixes available for years! AND lots of WordPress users have still not updated their plugins! TimThumb has had a fix for 4 years!


Sucuri sums it up beautifully:

The leading cause of compromises in today’s websites comes from the exploitation of software vulnerabilities found in out of date software, specifically in its extensible components, as outlined above in the WordPress platform. The ideas of patch and vulnerability management are not new concepts in the world of security or technology. But in the world of everyday business operations, the non-technical staff, it is.

As the technical aptitude required to have a website drops, the inverse will be seen in attacks (increasing as they are dependent on its weakest link, the webmaster). There is a sharp drop off in the knowledge required to have a website, which is breeding the wrong mindset with website owners and service providers alike. This leads to a rude awakening for website owners as established entities, like Google, take a hard stance against malicious websites.

Wrapping It Up

Now, I'm fully aware that you don’t really want to be hacked so I hope you've cottoned on to my tongue-in-cheek approach in this article! Simply do the opposite of what this post says - don't run old versions of these plugins, and update them as soon as a fix is released - and you’ll be safe from the most common WordPress plugin hacks.

If you read elsewhere on this site you'll see a commonly-preached, simple solution to this entire problem - update your website regularly!

What Did I Miss?

Do you use one of these dangerous and vulnerable WordPress plugins on your small business WordPress website? Have they caused problems?

Did I miss any major vulnerable plugins ?

Let me know in the comments and if you found this article useful please share it freely.


Eager to learn more about WordPress Security ?

Download the FREE bonus Security Resource List, use the resources in there and your website will be safer than 90% of sites out there.

by Seán | March 14, 2017

Why WordPress is Wrong for your Business | WPStrands The Leading Affordable WordPress Maintenance Solution - April 7, 2017

[…] it’s not just because WordPress is so popular and website owner knowledge is often not enough to effectively manage the site on an ongoing basis, as I’ve written about […]